{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T00:28:41Z","timestamp":1766449721641,"version":"3.45.0"},"reference-count":104,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2017,10,21]],"date-time":"2017-10-21T00:00:00Z","timestamp":1508544000000},"content-version":"vor","delay-in-days":365,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-1222680, CNS-1253346, CNS-1464087, CNS-1464088, CNS-1513690, CNS-1526718, CNS-1540217"],"award-info":[{"award-number":["CNS-1222680, CNS-1253346, CNS-1464087, CNS-1464088, CNS-1513690, CNS-1526718, CNS-1540217"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2017,9,30]]},"abstract":"<jats:p>The security research community has invested significant effort in improving the security of Android applications over the past half decade. This effort has addressed a wide range of problems and resulted in the creation of many tools for application analysis. In this article, we perform the first systematization of Android security research that analyzes applications, characterizing the work published in more than 17 top venues since 2010. We categorize each paper by the types of problems they solve, highlight areas that have received the most attention, and note whether tools were ever publicly released for each effort. Of the released tools, we then evaluate a representative sample to determine how well application developers can apply the results of our community\u2019s efforts to improve their products. We find not only that significant work remains to be done in terms of research coverage but also that the tools suffer from significant issues ranging from lack of maintenance to the inability to produce functional output for applications with known vulnerabilities. We close by offering suggestions on how the community can more successfully move forward.<\/jats:p>","DOI":"10.1145\/2996358","type":"journal-article","created":{"date-parts":[[2016,10,25]],"date-time":"2016-10-25T08:37:00Z","timestamp":1477384620000},"page":"1-30","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":54,"title":["*droid"],"prefix":"10.1145","volume":"49","author":[{"given":"Bradley","family":"Reaves","sequence":"first","affiliation":[{"name":"University of Florida"}]},{"given":"Jasmine","family":"Bowers","sequence":"additional","affiliation":[{"name":"University of Florida"}]},{"given":"Sigmund Albert","family":"Gorski III","sequence":"additional","affiliation":[{"name":"North Carolina State University"}]},{"given":"Olabode","family":"Anise","sequence":"additional","affiliation":[{"name":"University of Florida"}]},{"given":"Rahul","family":"Bobhate","sequence":"additional","affiliation":[{"name":"University of Florida"}]},{"given":"Raymond","family":"Cho","sequence":"additional","affiliation":[{"name":"University of Florida"}]},{"given":"Hiranava","family":"Das","sequence":"additional","affiliation":[{"name":"University of Florida"}]},{"given":"Sharique","family":"Hussain","sequence":"additional","affiliation":[{"name":"University of Florida"}]},{"given":"Hamza","family":"Karachiwala","sequence":"additional","affiliation":[{"name":"University of Florida"}]},{"given":"Nolen","family":"Scaife","sequence":"additional","affiliation":[{"name":"University of Florida"}]},{"given":"Byron","family":"Wright","sequence":"additional","affiliation":[{"name":"University of Florida"}]},{"given":"Kevin","family":"Butler","sequence":"additional","affiliation":[{"name":"University of Florida"}]},{"given":"William","family":"Enck","sequence":"additional","affiliation":[{"name":"North Carolina State University"}]},{"given":"Patrick","family":"Traynor","sequence":"additional","affiliation":[{"name":"University of Florida"}]}],"member":"320","published-online":{"date-parts":[[2016,10,21]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.33"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/2627393.2627399"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2351676.2351717"},{"volume-title":"Retrieved","year":"2012","key":"e_1_2_1_4_1","unstructured":"Androguard. 2012. Androguard Home Page. Retrieved September 24, 2016, from https:\/\/github.com\/androguard\/androguard."},{"key":"e_1_2_1_5_1","volume-title":"Retrieved","author":"Documentation Android Developer","year":"2015","unstructured":"Android Developer Documentation. 2015. Building Apps with over 65K Methods. Retrieved September 24, 2016, from http:\/\/developer.android.com\/tools\/building\/multidex.html."},{"key":"e_1_2_1_6_1","volume-title":"Retrieved","author":"Blog Android Developers","year":"2009","unstructured":"Android Developers Blog. 2009. Backward Compatibility for Android Applications. Retrieved September 24, 2016, from http:\/\/android-developers.blogspot.com\/2009\/04\/backward-compatibility-for-android.html."},{"key":"e_1_2_1_7_1","volume-title":"Retrieved","author":"Blog Android Developers","year":"2011","unstructured":"Android Developers Blog. 2011. Custom Class Loading in Dalvik. Retrieved September 24, 2016, from http:\/\/android-developers.blogspot.com\/2011\/07\/custom-class-loading-in-dalvik.html."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594299"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382222"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420957"},{"volume-title":"Retrieved","year":"2009","key":"e_1_2_1_12_1","unstructured":"Baksmali. 2009. Baksmali Home Page. Retrieved September 24, 2016, from https:\/\/github.com\/JesusFreke\/smali."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2351676.2351722"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2259051.2259056"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.5555\/2671225.2671290"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.62"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2259051.2259052"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2462096.2462100"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831185"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2766498.2766507"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1999995.2000018"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2015.89"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33167-1_3"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594368.2594391"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2766498.2766509"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/2462456.2464462"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.5555\/646153.679523"},{"volume-title":"Retrieved","year":"2015","key":"e_1_2_1_28_1","unstructured":"dex2jar. 2015. pxb1988\/dex2jar. Retrieved September 24, 2016, from https:\/\/github.com\/pxb1988\/dex2jar."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516693"},{"volume-title":"Proceedings of the Workshop on Mobile Security Technologies.","author":"Elish Karim O.","key":"e_1_2_1_30_1","unstructured":"Karim O. Elish, Danfeng Yao, and Barbara G. Ryder. 2012. User-centric dependence analysis for identifying malicious mobile apps. In Proceedings of the Workshop on Mobile Security Technologies."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.5555\/1924943.1924971"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.5555\/2028067.2028088"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2009.26"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382205"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046779"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635869"},{"key":"e_1_2_1_38_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (SP\u201916)","author":"Fratantonio Yanick","year":"2016","unstructured":"Yanick Fratantonio, Antonio Bianchi, William Robertson, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2016. TriggerScope: Towards detecting logic bombs in Android apps. In Proceedings of the IEEE Symposium on Security and Privacy (SP\u201916)."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786873"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594299"},{"volume-title":"Proceedings of the 2015 Mobile Security Technologies Workshop.","author":"Gallingani D.","key":"e_1_2_1_41_1","unstructured":"D. Gallingani, R. Gjomemo, V. N. Venkatakrishnan, and S. Zanero. 2015. Static detection and automatic exploitation of intent message vulnerabilities in Android applications. In Proceedings of the 2015 Mobile Security Technologies Workshop."},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23323"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.5555\/2486788.2486799"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23089"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/2185448.2185464"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594368.2594390"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/2557547.2557563"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813606"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831205"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568301"},{"key":"e_1_2_1_51_1","volume-title":"Proceedings of the Workshop on Mobile Security Technologies (MoST\u201912)","author":"Kim Jinyung","year":"2012","unstructured":"Jinyung Kim, Yongho Yoon, Kwangkeun Yi, and Junbum Shin. 2012. ScanDal: Static analyzer for detecting privacy leaks in Android applications. In Proceedings of the Workshop on Mobile Security Technologies (MoST\u201912)."},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2614628.2614633"},{"key":"e_1_2_1_53_1","volume-title":"Proceedings of the Cetus Users and Compiler Infrastructure Workshop (CETUS\u201911)","author":"Lam Patrick","year":"2011","unstructured":"Patrick Lam, Eric Bodden, Ondrej Lhot\u00e1k, and Laurie Hendren. 2011. The soot framework for Java program analysis: A retrospective. In Proceedings of the Cetus Users and Compiler Infrastructure Workshop (CETUS\u201911)."},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.5555\/1765931.1765948"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/2639108.2639131"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/2516760.2516769"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/2644805"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1007\/11575467_11"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23287"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382223"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/2491411.2491450"},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635896"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2014.12"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818036"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831206"},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/2627393.2627417"},{"key":"e_1_2_1_67_1","unstructured":"Nicolas Nethercote. 2004. Dynamic Binary Analysis and Instrumentation. Ph.D. Dissertation. University of Cambridge. http:\/\/valgrind.org\/docs\/phd2004.pdf."},{"key":"e_1_2_1_68_1","volume-title":"Retrieved","author":"Northcraft Patrick","year":"2014","unstructured":"Patrick Northcraft. 2014. Android: The Most Popular OS in the World. Retrieved September 24, 2016, from http:\/\/www.androidheadlines.com\/2014\/02\/android-popular-os-world.html."},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/2393596.2393600"},{"key":"e_1_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.5555\/2534766.2534813"},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/2487568.2487569"},{"volume-title":"Retrieved","year":"2016","key":"e_1_2_1_72_1","unstructured":"ProGuard. ProGuard Home Page. 2002. Retrieved September 24, 2016, from http:\/\/proguard.sourceforge.net\/."},{"key":"e_1_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23066"},{"key":"e_1_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1145\/2435349.2435379"},{"key":"e_1_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831145"},{"key":"e_1_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1145\/199448.199462"},{"key":"e_1_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.5555\/647170.718289"},{"key":"e_1_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1145\/2435349.2435380"},{"key":"e_1_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.5555\/646619.697565"},{"key":"e_1_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.5555\/2362793.2362821"},{"key":"e_1_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.1145\/2642937.2643018"},{"volume-title":"More Sound Static Handling of Java Reflection","author":"Smaragdakis Yannis","key":"e_1_2_1_82_1","unstructured":"Yannis Smaragdakis, George Balatsouras, George Kastrinis, and Martin Bravenboer. 2015. More Sound Static Handling of Java Reflection. Springer, 485--503."},{"key":"e_1_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1145\/1926385.1926390"},{"key":"e_1_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594320"},{"volume-title":"Retrieved","year":"2015","key":"e_1_2_1_85_1","unstructured":"Statista. 2015. Number of Available Applications in the Google Play Store from December 2009 to February 2016. Retrieved September 24, 2016, from http:\/\/www.statista.com\/statistics\/266210\/number-of-available-applications-in-the-google-play-store\/."},{"key":"e_1_2_1_86_1","doi-asserted-by":"publisher","DOI":"10.1145\/2733306"},{"key":"e_1_2_1_87_1","doi-asserted-by":"publisher","DOI":"10.1145\/2766498.2766508"},{"key":"e_1_2_1_88_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23145"},{"key":"e_1_2_1_89_1","doi-asserted-by":"publisher","DOI":"10.5555\/781995.782008"},{"key":"e_1_2_1_90_1","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590325"},{"key":"e_1_2_1_91_1","doi-asserted-by":"publisher","DOI":"10.1145\/2591971.2592003"},{"volume-title":"Retrieved","year":"2006","key":"e_1_2_1_92_1","unstructured":"Wala. 2006. WALA. Retrieved September 24, 2016, from https:\/\/github.com\/wala\/WALA."},{"key":"e_1_2_1_93_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660357"},{"key":"e_1_2_1_94_1","doi-asserted-by":"publisher","DOI":"10.1145\/2666620.2666626"},{"key":"e_1_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516728"},{"key":"e_1_2_1_96_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.60"},{"key":"e_1_2_1_97_1","doi-asserted-by":"publisher","DOI":"10.1145\/2351676.2351689"},{"key":"e_1_2_1_98_1","doi-asserted-by":"publisher","DOI":"10.1145\/2185448.2185465"},{"key":"e_1_2_1_99_1","doi-asserted-by":"publisher","DOI":"10.5555\/2362793.2362822"},{"key":"e_1_2_1_100_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516676"},{"key":"e_1_2_1_101_1","doi-asserted-by":"publisher","DOI":"10.1145\/2627393.2627395"},{"key":"e_1_2_1_102_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660359"},{"key":"e_1_2_1_103_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23255"},{"key":"e_1_2_1_104_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516689"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2996358","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2996358","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2996358","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T09:40:59Z","timestamp":1763458859000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2996358"}},"subtitle":["Assessment and Evaluation of Android Application Analysis Tools"],"short-title":[],"issued":{"date-parts":[[2016,10,21]]},"references-count":104,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2017,9,30]]}},"alternative-id":["10.1145\/2996358"],"URL":"https:\/\/doi.org\/10.1145\/2996358","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"type":"print","value":"0360-0300"},{"type":"electronic","value":"1557-7341"}],"subject":[],"published":{"date-parts":[[2016,10,21]]},"assertion":[{"value":"2016-03-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2016-08-01","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2016-10-21","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}